
A New Attack Reveals Everything You Type With 95 Percent Accuracy

It’s been a busy week here on the WIRED Security desk, thanks to the annual Black Hat and Defcon security conferences in Las Vegas, where hackers and researchers reveal their latest findings.

Things kicked off with a doozy. A researcher believes he’s found evidence that a series of spikes in radiation seemingly recorded by sensors at the Chernobyl nuclear facility in the hours following Russia’s February 2022 invasion of Ukraine were manipulated. The findings contradict the official explanation from Ukrainian and international nuclear authorities, prompting calls for a full investigation. If the researcher’s findings are proven accurate, it could have grave implications for nuclear monitoring and geopolitics.

In other troubling news, researchers have disclosed a flaw, dubbed Downfall, present in multiple generations of Intel chips. Downfall is a transient-execution bug in the handling of the AVX gather instructions that lets one process read data belonging to other processes on the same core, cryptographic keys included. The latest generations of Intel chips are not affected, but some of the affected chips are still on sale. Intel has released microcode updates for the affected parts, which carry a performance cost for some workloads.

In the not-fixed-vulnerability category, we head to Boston, where a group of teenagers successfully hacked the city’s subway cards to give themselves unlimited free rides. Their work is actually a follow-up to a 2008 hack by MIT researchers, which prompted the Boston transit authority to file a lawsuit that prevented those researchers from presenting their talk at that year’s Defcon. This time, however, the Massachusetts Bay Transit Authority worked with the teens, who promised not to release key details that would allow someone to replicate their hack. The MBTA says the vulnerability will be addressed through the rollout of a new subway card system in the near future.

Cheating the system isn’t just for public transit. What would you do if you had a device that let you win every hand of poker? That’s what researchers at IOActive built when they set their sights on the widely used card-shuffling machine called the Deckmate 2. By plugging their device into the shuffler’s exposed USB port, they gained remote access to the Deckmate 2’s internal camera, letting them learn the order of the cards in the deck and thus which cards every player had.

It’s often impossible to catch a malicious hacker in the act. But a team of researchers at the security firm GoSecure managed to observe more than 2,000 hacking attempts using a honeypot that recorded the attackers’ screens in real time. Researchers at Panasonic, meanwhile, turned the company’s own internet-of-things devices into honeypots to track the malware being used against IoT gadgets and better protect their products against it.

The international tech giant Yandex earlier this year suffered a leak of its source code, which is proving useful to researchers. One such researcher dug into the code, which revealed the vast quantities of data the company collects and how it uses that data to sort people into different groups. It’s one of the most revealing looks into how the black box of invasive online advertising actually works.


Of course, generative AI tools are the talk of the security industry this year. And Microsoft is no exception. In fact, since 2018, the company has had an AI red team that attacks AI tools to find vulnerabilities and help prevent them from behaving badly.

Outside of Black Hat and Defcon coverage, we detailed the ins and outs of the data privacy that HIPAA provides people in the US, and explained how to use Google's new “Results About You” tool to get your personal information removed from search results.

But that’s not all. Each week, we round up the security news that we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

A New Attack Reveals Everything You Type With 95 Percent Accuracy

Your keyboard may be giving away your secrets without you knowing it. Researchers in the UK have trained a deep-learning model that works out what a person is typing from the sound of the keystrokes alone. In the best case for an attacker, a phone recording next to the laptop, the model was 95 percent accurate; with the audio captured over a Zoom call it still reached 93 percent.

If you’re picturing the noisiest mechanical keyboard the researchers could find, you’d be wrong: the tests were run on a MacBook Pro, and no special recording gear was needed, since a phone’s microphone works fine. One caveat for anyone assessing the risk: the classifier was trained on labeled recordings of that same laptop’s keys, so an attacker needs samples of the target’s typing, recorded nearby or captured from a call, before the model can read it. Someone who pulls the attack off could use it to learn a target’s passwords or read their messages. Acoustic side-channel attacks on keyboards aren’t new, but this work shows they are getting frighteningly accurate and easier to pull off in the wild.
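The first stage of any acoustic keystroke attack is finding where in the recording each key press sits, before a classifier ever looks at it. The snippet below is an added example of that isolation step, not code from the UK team or from their paper: it slides a short window over the audio, measures energy per window, and merges runs of loud windows into keystroke segments. The sample rate, window sizes, relative threshold and the "recording" itself (a constructed synthetic signal made of low-level noise with square-wave bursts where keys are pressed) are all assumptions for illustration. It uses only the Python standard library.

```python
"""Energy-based keystroke isolation, the stage before classification in an
acoustic keystroke side channel.  Added example, not the UK researchers'
code.  Stdlib only; the audio is a constructed synthetic clip, not a real
recording, and the constants below are assumed values."""
import math
import random

SAMPLE_RATE = 8000          # Hz, assumed for the synthetic clip
FRAME = 160                 # 20 ms analysis window (assumed)
HOP = 80                    # 10 ms step between windows (assumed)


def synthetic_typing(burst_starts, burst_len=400, seed=0):
    """Constructed stand-in for a recording: two seconds of low-level noise
    with a short square-wave burst wherever a key is 'pressed'."""
    rng = random.Random(seed)
    samples = [rng.uniform(-0.01, 0.01) for _ in range(2 * SAMPLE_RATE)]
    for start in burst_starts:
        for i in range(burst_len):
            samples[start + i] = 0.5 if i % 2 == 0 else -0.5
    return samples


def frame_rms(samples):
    """Root-mean-square energy of each overlapping analysis window."""
    out = []
    for pos in range(0, len(samples) - FRAME + 1, HOP):
        window = samples[pos:pos + FRAME]
        out.append(math.sqrt(sum(x * x for x in window) / FRAME))
    return out


def isolate_keystrokes(samples, rel_threshold=0.3):
    """Return [(start_sample, end_sample), ...], one per burst of energy
    above rel_threshold * peak.  Consecutive loud windows are merged into a
    single keystroke; the first quiet window closes it.  Silence yields []."""
    rms = frame_rms(samples)
    if not rms or max(rms) == 0.0:
        return []
    threshold = rel_threshold * max(rms)
    segments = []
    current = None
    for idx, energy in enumerate(rms):
        start = idx * HOP
        if energy >= threshold:
            if current is None:
                current = [start, start + FRAME]
            else:
                current[1] = start + FRAME
        elif current is not None:
            segments.append(tuple(current))
            current = None
    if current is not None:
        segments.append(tuple(current))
    return segments


def demo():
    """Constructed key-press positions and the segments the detector finds."""
    presses = [960, 4960, 8960, 12960]
    return presses, isolate_keystrokes(synthetic_typing(presses))


if __name__ == "__main__":
    presses, found = demo()
    for start, end in found:
        print(f"keystroke {start / SAMPLE_RATE:.3f}s to {end / SAMPLE_RATE:.3f}s")
```

Each segment returned here is what a classifier would then see, typically as a spectrogram of that slice; the relative threshold is what makes the same code work on a quiet laptop keyboard and on a louder one, which is also why the MacBook Pro result above should not be reassuring.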

A Disastrous Week for UK Data Breaches

A series of data breaches rocked the United Kingdom this week. On August 8, the Electoral Commission, the independent body responsible for overseeing elections and regulating political finances, revealed a cyberattack had exposed the data of 40 million voters to hackers. The organization has been unable to determine whether data was taken; however, it says that full names, emails, phone numbers, home addresses, and data provided during contact with the body could be impacted. “The attack has not had an impact on the electoral process,” the commission said. (Elections are run by local councils.)

The commission has, however, been criticized for how it communicated the attack: the intrusion happened in August 2021 but was detected only in October 2022, and was disclosed to the public nine months after that. It has also been reported that the breach may be linked to an unpatched vulnerability in the commission’s Microsoft Exchange server.

But that wasn’t all. The same day, the Police Service of Northern Ireland (PSNI) accidentally published the names and roles of 10,000 officers and staff in response to a Freedom of Information request. The breach arguably has more serious ramifications than the Electoral Commission’s: officers working in intelligence and security were included, and the document stayed online for three hours. The PSNI blamed “human error”, and the British data regulator, the Information Commissioner’s Office, has opened an investigation. (The regulator had previously issued guidance on making sure information is not accidentally disclosed via spreadsheets.) Since the breach, officers have expressed concerns about their safety, and the police service has been reviewing whether to move people to different roles for safety reasons.
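The spreadsheet failure mode the ICO guidance is aimed at is that an .xlsx carries more than the cells on screen: hidden or "veryHidden" sheets, hidden rows and columns, and pivot caches that keep a copy of their source data even after the visible table has been trimmed. Because an .xlsx is a zip of XML parts, a pre-release check needs nothing beyond the standard library. The scanner below is an added example, not PSNI or ICO code, and the workbook it scans is a constructed in-memory fixture containing only the parts the scanner inspects (it is not a complete Excel-openable file); the sheet names and cell contents are made up.

```python
"""Pre-release scan of an .xlsx for data that hides from the on-screen view.
Added example, not PSNI or ICO code.  Stdlib only: an .xlsx is a zip of XML
parts.  The fixture built in build_fixture() is constructed and minimal."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def scan_xlsx(data: bytes) -> dict:
    """Return findings: sheets whose state is not 'visible', hidden rows and
    columns per worksheet part, and any pivot cache parts (these retain a
    copy of the pivot's source rows, whatever the visible table shows)."""
    findings = {"hidden_sheets": [], "hidden_ranges": {}, "pivot_caches": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall(".//m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in z.namelist():
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                ws = ET.fromstring(z.read(name))
                cols = [f"{c.get('min')}-{c.get('max')}"
                        for c in ws.findall(".//m:cols/m:col", NS)
                        if c.get("hidden") in ("1", "true")]
                rows = [r.get("r")
                        for r in ws.findall(".//m:sheetData/m:row", NS)
                        if r.get("hidden") in ("1", "true")]
                if cols or rows:
                    findings["hidden_ranges"][name] = {"cols": cols, "rows": rows}
            elif name.startswith("xl/pivotCache/"):
                findings["pivot_caches"].append(name)
    return findings


def is_safe_to_release(findings: dict) -> bool:
    """True only when nothing hidden and no pivot cache was found."""
    return not (findings["hidden_sheets"]
                or findings["hidden_ranges"]
                or findings["pivot_caches"])


def build_fixture() -> bytes:
    """Constructed workbook: a visible 'Summary' sheet with a hidden column
    and a hidden row, a veryHidden 'StaffList' sheet, and one pivot cache.
    Only the parts the scanner reads are present."""
    m = NS["m"]
    workbook = (f'<workbook xmlns="{m}"><sheets>'
                '<sheet name="Summary" sheetId="1"/>'
                '<sheet name="StaffList" sheetId="2" state="veryHidden"/>'
                '</sheets></workbook>')
    summary = (f'<worksheet xmlns="{m}"><cols><col min="3" max="3" hidden="1"/></cols>'
               '<sheetData><row r="1"><c r="A1" t="str"><v>Rank</v></c></row>'
               '<row r="2" hidden="1"><c r="A2" t="str"><v>Detective</v></c></row>'
               '</sheetData></worksheet>')
    staff = (f'<worksheet xmlns="{m}"><sheetData>'
             '<row r="1"><c r="A1" t="str"><v>Surname</v></c></row>'
             '</sheetData></worksheet>')
    cache = f'<pivotCacheRecords xmlns="{m}" count="1"><r><s v="0"/></r></pivotCacheRecords>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", summary)
        z.writestr("xl/worksheets/sheet2.xml", staff)
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_xlsx(build_fixture())
    print(report)
    print("safe to release:", is_safe_to_release(report))
```

For a real release the safer habit is to export the visible range to CSV, which drops every part this scanner looks for, and run the scan on anything that must stay in .xlsx form.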

North Korea’s Lazarus Group Hacked a Russian Missile Maker

North Korean hackers don’t just steal cryptocurrency, they also may have stolen Russia’s missile secrets. According to Reuters, the state-linked hacking group Lazarus breached the networks of NPO Mashinostroyeniya, a major Russian missile manufacturer, in late 2021. The breach wasn’t detected until May 2022. A researcher with the cybersecurity firm SentinelOne who discovered the breach said that the hackers would have had “the ability to read email traffic, jump between networks, and extract data,” Reuters reports.

It is unclear what exactly the Lazarus hackers stole while inside the NPO network, although North Korea did announce several updates to its missile program following the breach, so the two may be linked.

Microsoft’s Trouble Deepens Over Chinese Outlook Hack

Last month, Microsoft revealed damning news: China-based hackers stole a digital key that the company uses to cryptographically sign tokens that are assigned to users when they log in to their Outlook email accounts. The hackers used this stunning access to break into the Outlook accounts of at least 25 organizations, including government bodies. But that’s only the start of the problems for Microsoft.

US senator Ron Wyden, an Oregon Democrat, sent a letter this week demanding three federal inquiries into Microsoft’s “negligent cybersecurity practices,” The Wall Street Journal reports. Wyden also asked that the Cyber Safety Review Board, which the Biden administration created to investigate cybersecurity incidents, also look into the incident. And according to Bloomberg News, the review board is already planning to do just that.

Wyden’s letter, which is dated July 27, demands that the Department of Justice, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency all launch investigations. Microsoft, for its part, tells the Journal that it plans to fully cooperate with any federal inquiries into the hack.
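Why a single stolen signing key is so damaging, and the check that limits its blast radius, is easier to see in code than in prose. Microsoft's own account of the incident said the stolen key was one meant for consumer accounts and that a token-validation issue let it be accepted for enterprise accounts too. The example below is added here and is not Microsoft's code or its token format: it uses a made-up identity provider with two keys, signs tokens with HMAC-SHA256 from the standard library rather than RSA so it runs offline, and all key ids, issuers, claims and account names are assumptions for illustration. It shows an attacker minting a token for an arbitrary user with the stolen key, a verifier that accepts any trusted key and therefore accepts the forgery, and a verifier that additionally binds each key to the issuer it may sign for.

```python
"""Forged tokens from a stolen signing key, and key-to-issuer scoping as the
check that contains the damage.  Added example, not Microsoft's code; the
token layout, key ids, issuers and names are assumed.  HMAC-SHA256 stands
in for RSA so the example runs offline."""
import base64
import hashlib
import hmac
import json

# Signing keys of a hypothetical identity provider (constructed values).
KEYS = {
    "consumer-key-1": b"K1-secret-consumer",
    "enterprise-key-1": b"K2-secret-enterprise",
}
# Which issuer each key is allowed to sign for: the scoping check.
KEY_ISSUER = {
    "consumer-key-1": "https://login.example/consumers",
    "enterprise-key-1": "https://login.example/enterprise",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """header.body.signature, each part base64url, like a JWT."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"


def verify_naive(token: str, expected_iss: str):
    """Accepts any key in the trusted set for any issuer.  A stolen key of
    either kind therefore mints tokens the whole estate accepts."""
    header_s, body_s, sig_s = token.split(".")
    key = KEYS.get(json.loads(_unb64(header_s)).get("kid"))
    if key is None:
        return None
    mac = hmac.new(key, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig_s)):
        return None
    claims = json.loads(_unb64(body_s))
    return claims if claims.get("iss") == expected_iss else None


def verify_scoped(token: str, expected_iss: str):
    """Same signature check, plus: the key named in the header must be one
    that is allowed to sign for this issuer."""
    kid = json.loads(_unb64(token.split(".")[0])).get("kid")
    if KEY_ISSUER.get(kid) != expected_iss:
        return None
    return verify_naive(token, expected_iss)


def forge_with_stolen_key(victim: str, target_iss: str) -> str:
    """The attacker holds a copy of consumer-key-1 and mints a token for any
    account and any issuer, with the header pointing at that key."""
    stolen_kid = "consumer-key-1"
    return sign_token({"iss": target_iss, "sub": victim, "scope": "Mail.Read"},
                      stolen_kid, KEYS[stolen_kid])


def demo() -> dict:
    ent = KEY_ISSUER["enterprise-key-1"]
    ent_key = KEYS["enterprise-key-1"]
    forged = forge_with_stolen_key("cfo@agency.example", ent)
    legit = sign_token({"iss": ent, "sub": "alice@agency.example"}, "enterprise-key-1", ent_key)
    other = sign_token({"iss": ent, "sub": "mallory@agency.example"}, "enterprise-key-1", ent_key)
    # Splice mallory's body onto alice's signature: the MAC no longer matches.
    tampered = f"{legit.split('.')[0]}.{other.split('.')[1]}.{legit.split('.')[2]}"
    return {
        "naive_accepts_forged": verify_naive(forged, ent) is not None,
        "scoped_accepts_forged": verify_scoped(forged, ent) is not None,
        "scoped_accepts_legit": verify_scoped(legit, ent) is not None,
        "naive_accepts_tampered": verify_naive(tampered, ent) is not None,
        "scoped_accepts_tampered": verify_scoped(tampered, ent) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scoping the key does not help against forgeries for the issuer the stolen key was meant for; only rotating the key does that. What it buys is that a consumer-side key compromise stays a consumer-side problem instead of reaching every tenant whose verifier trusts the same key set.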
